Symptoms

In Google search results, links to your site are marked with a “This site may harm your computer” warning and you see an abrupt drop in Google search traffic.

When trying to open your web pages, users of Firefox 3 and Google Chrome browsers see a warning that your site is an “attack site”.

If your site is registered with Google Webmaster Tools or AdWords, you receive an email from Google notifying you that your site is a reported attack site and that some of your web pages link to the following sites that host malicious software: 94 .247 .2 .0/ and gogo2me .net/

Google’s Safe Browsing Diagnostics pages for your site also report that your site links to 94 .247 .2 .0/ and gogo2me .net/

Detection

Temporarily disable JavaScript in your browser (so the injected script cannot run while you look) and open your site. In the browser’s menu choose “view source” and search for the following code:

It is usually located right after the <body> tag or after the closing </html> tag.

If found, this hidden IFrame is followed by a long obfuscated script that does the actual damage. This script starts with code that looks like this:

<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){...

The actual content of this script varies from site to site, but it always starts with a function whose long name is a mix of random-looking characters and digits.
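As an added example (not part of the original post), here is a small Python scanner that applies the checks above to the HTML source of a page: a 1x1 or visibility:hidden iframe, an iframe sitting after the closing </html> tag, the placeholder src http://url/, and a script that opens with a function whose name is long and mixes letters with several digits. The sample page and the function name in it are constructed for the example; the real script on an infected site looks different, so treat the name heuristic as a hint to inspect, not as proof.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a benign embed and a benign script inside the document, then
# the injection pattern described above appended after </html>. The function name and
# script body are made up for this example; they are not the real payload.
SAMPLE_HTML = """<html><head><title>Shop</title></head>
<body>
<p>Welcome</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<script src="/js/stats.js"></script>
</body>
</html>
<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>
<script>function c1a2b3c4d5e6f7a8b9c0d1e2f3(a1b2c3d4e5){var x=a1b2c3d4e5;return x;}c1a2b3c4d5e6f7a8b9c0d1e2f3('');</script>
"""

# A <script> whose first statement is a function with a long identifier (the post's
# sample starts with "function c102916999516l4956a7e7c979e(").
OBFUSCATED_SCRIPT = re.compile(r"<script[^>]*>\s*function\s+([A-Za-z_]\w{15,})\s*\(", re.I)


class IframeCollector(HTMLParser):
    """Records the line number and attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((self.getpos()[0], dict(attrs)))


def is_hidden_iframe(attrs):
    """Hidden by either trick the post describes: 1x1 size, or visibility/display style."""
    def px(value):
        try:
            return float(str(value).strip().lower().rstrip("px"))
        except ValueError:
            return None
    w, h = px(attrs.get("width")), px(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    style = re.sub(r"\s+", "", (attrs.get("style") or "").lower())
    return tiny or "visibility:hidden" in style or "display:none" in style


def looks_random(name):
    """Long identifier mixing letters with several digits, e.g. c102916999516l4956a7e7c979e."""
    digits = sum(ch.isdigit() for ch in name)
    letters = sum(ch.isalpha() for ch in name)
    return len(name) >= 16 and digits >= 4 and letters >= 2


def scan_html(html):
    """Return a list of findings, each a dict with 'kind' and 'line' plus details."""
    findings = []
    close = html.lower().rfind("</html>")
    close_line = html[:close].count("\n") + 1 if close >= 0 else None

    parser = IframeCollector()
    parser.feed(html)
    for line, attrs in parser.iframes:
        src = (attrs.get("src") or "").strip()
        if is_hidden_iframe(attrs):
            findings.append({"kind": "hidden_iframe", "line": line, "src": src})
        if src.lower().rstrip("/") == "http://url":
            findings.append({"kind": "placeholder_src", "line": line, "src": src})
        if close_line is not None and line > close_line:
            findings.append({"kind": "iframe_after_html_close", "line": line, "src": src})

    for m in OBFUSCATED_SCRIPT.finditer(html):
        name = m.group(1)
        if looks_random(name):
            line = html[:m.start()].count("\n") + 1
            findings.append({"kind": "obfuscated_script", "line": line, "function": name})
    return findings


def scan_file(path):
    """Scan a saved copy of the page source (what 'view source' shows)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_html(fh.read())


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run it against a saved copy of the page source (scan_file), not against the rendered DOM: the point of the obfuscated script is that the real iframe only exists after the script has run, so the static source is what you want to inspect.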

Hidden IFrame in Unmask Parasites

The easier and safer way to detect this exploit is to check suspected web pages with Unmask Parasites.

The hidden iframe is easily detected and reported in the External References section. The distinctive feature of this particular exploit is this strange iframe source: “http://url/”

I don’t know why hackers injected this IFrame that doesn’t load anything. Maybe it was a script kiddie who forgot to replace the placeholder with a real URL. Or maybe this harmless iframe was injected just to check if the files are really writable and then they injected really malicious code. Who knows.

How does this exploit work?

IFrames

An IFrame embeds a third-party page inside your own web page. There are many perfectly legitimate uses of iframes (e.g. widgets, previews, etc.), but hackers also like iframes because they make unsuspecting web surfers load malicious web pages while browsing legitimate websites.

To hide the fact that a web page contains unwanted iframes, hackers make their iframes invisible. For example, in this exploit the first iframe is created with a width and height of 1 pixel, so visually it is just a dot. In addition, they specify a style that makes it invisible: style=’visibility: hidden;’

Obfuscated script

While hidden IFrames are invisible to web surfers, they are easy to spot in the HTML code. To hide iframes in the HTML as well, hackers inject obfuscated scripts that create the iframes on the fly when someone loads the page. When you check the HTML code of such pages you don’t see any iframes, just some JavaScript of unclear purpose with no URLs or suspicious words in it. And since many modern web pages contain dozens of third-party scripts (e.g. ads, statistics, widgets, etc.), webmasters usually overlook such scripts.

To hide malicious code, hackers encode their scripts multiple times, so that even if you execute such a script you get just another obfuscated script.

In this exploit, the malicious script decodes itself and creates another encoded script, which in turn creates the following hidden (note the style) iframe (I slightly changed the iframe source):

Yes. This is that “94 .247 .2 .0/” site. Google always replaces the last number in IP addresses with 0 in its security reports.

So what is so malicious in this iframe?

This last IFrame loads a small (about 7 KB) binary file (a gzipped script) that exploits Windows and browser vulnerabilities to infect your site visitors’ computers.

I sent this file to VirusTotal, and it was detected as malicious by only 2 of 39 antivirus engines (Sophos and Microsoft). So even up-to-date antivirus software won’t necessarily prevent the infection. Every site visitor is potentially in danger.

This is why Google blacklists your site if it finds hidden links to sites that host malware.

How to clean up?

I don’t have information about how this malicious code is being injected into web pages, so I can only provide some general common-sense advice.

Locate and remove the malicious code (the iframe and the script) from every affected file on your server (or upload a fresh copy from a known-clean backup).

Write-protect files (644 permissions on *nix). Note that 644 still lets the file owner write, so it will not stop an attacker who has your FTP credentials; it only removes write access for other accounts on the server.

Check your local computer for viruses and spyware.

Change all site-related passwords (FTP, Control Panel, etc.), and don’t store them in the FTP client or editor on your PC.

You might also want to contact your hosting provider to investigate the issue.
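To make the first two steps concrete, here is an added Python script (example code, not from the post) that walks a web root, cuts the injected block out of every HTML/PHP file, keeps each infected original in a quarantine directory outside the web root for later analysis, and then sets 644 on the files and 755 on the directories. The sample site it builds in a temporary directory is constructed for the example. The match pattern is the one this post describes (a visibility: hidden iframe, optionally followed by a <script> opening with a long random function name); a different injection needs a different pattern, and the 644 step is no defence against an attacker holding the file owner’s FTP password, which is why the password change and the malware check on your own PC matter more.

```python
import os
import re
import shutil
import stat
import tempfile

# The injected block this post describes: an iframe hidden with visibility: hidden,
# optionally followed by a <script> whose first function has a long random-looking name.
INJECTION = re.compile(
    r"<iframe\b[^>]*visibility\s*:\s*hidden[^>]*>\s*</iframe>\s*"
    r"(?:<script>\s*function\s+[A-Za-z_]\w{15,}\s*\(.*?</script>\s*)?",
    re.IGNORECASE | re.DOTALL,
)
# Files to clean and write-protect. CGI scripts that need the execute bit are deliberately
# not in this set, so they are neither edited nor chmod'ed to 644.
WEB_EXTENSIONS = {".html", ".htm", ".shtml", ".php"}


def strip_injection(html):
    """Return (cleaned_html, number_of_injected_blocks_removed)."""
    return INJECTION.subn("", html)


def clean_tree(webroot, quarantine):
    """Clean every web file under webroot; keep infected originals in quarantine (which
    must lie outside webroot, or it would be served and rescanned); set 644 on files and
    755 on directories. 644 still lets the owner write, so it does not stop an attacker
    who has the owner's FTP password: change the passwords as well."""
    os.makedirs(quarantine, exist_ok=True)
    summary = {"scanned": 0, "cleaned": [], "blocks_removed": 0}
    for dirpath, _dirnames, filenames in os.walk(webroot):
        os.chmod(dirpath, 0o755)
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            summary["scanned"] += 1
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                original = fh.read()
            cleaned, removed = strip_injection(original)
            if removed:
                rel = os.path.relpath(path, webroot)
                dest = os.path.join(quarantine, rel)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                shutil.copy2(path, dest)  # evidence: the infected file, untouched
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
                summary["cleaned"].append(rel)
                summary["blocks_removed"] += removed
            os.chmod(path, 0o644)
    return summary


# Constructed sample pages for the demo: one carrying the injection, one clean.
INFECTED_PAGE = (
    "<html><body><p>Hello</p></body></html>\n"
    "<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>\n"
    "<script>function c1a2b3c4d5e6f7a8b9c0d1e2f3(a1b2c3d4e5){return a1b2c3d4e5;}</script>\n"
)
CLEAN_PAGE = (
    "<html><body><iframe src='https://www.youtube.com/embed/x' width='560' height='315'>"
    "</iframe></body></html>\n"
)


def demo():
    """Build a throwaway site in a temp dir, clean it, and report what happened."""
    base = tempfile.mkdtemp()
    try:
        webroot = os.path.join(base, "public_html")
        os.makedirs(os.path.join(webroot, "about"))
        with open(os.path.join(webroot, "index.html"), "w") as fh:
            fh.write(INFECTED_PAGE)
        with open(os.path.join(webroot, "about", "team.html"), "w") as fh:
            fh.write(CLEAN_PAGE)
        summary = clean_tree(webroot, os.path.join(base, "quarantine"))
        index = os.path.join(webroot, "index.html")
        with open(index) as fh:
            after = fh.read()
        return {
            "summary": summary,
            "index_after": after,
            "index_mode": stat.S_IMODE(os.stat(index).st_mode),
            "quarantined": os.path.isfile(os.path.join(base, "quarantine", "index.html")),
            "posix": os.name == "posix",
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Run clean_tree on a copy of the site first and diff the result against the live files before touching production; a regex that is too loose will happily remove a legitimate hidden iframe (some analytics and widget embeds use one), and a restore from a known-clean backup is still the safer route when you have one.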

Reader's Comments (29)

I’m the webmaster of this website, and this error keeps happening. I’ve done everything suggested above, and it still happens. I send a “clean” version of the website, and within 3 hours the malicious code re-appears. I’m at my wits’ end now, I have no idea why this is happening, and am getting concerned as the business the website is for gets most of its customers through the website, and because of the Google message regarding it being unsafe I’ve had to take the main part of it down.

If there’s anything you can suggest to help I would be more than grateful!

It looks like you are using Dreamweaver for your site. Are you storing FTP password in it? There is a theory that some trojans can steal FTP passwords stored in Dreamweaver. I don’t have any proofs though.

I have found the solution (I hope so)… What you need to do is firstly block the
IP: 77.221.133.188
You need to give your files 644 privilege, and folders 755 privilege..
and then send a message to Google to rectify the warning.

I happened to find this IP’s details and found that this IP is from Europe. Firstly I don’t have any visitors from Europe, second point is after this IP the visitor is not showing any browser details, lastly after this IP visitor my site was affected again.. But ya, blocking the IP is not the final solution… Even though I have blocked the IP my site has been affected again.. If anybody has any suggestion please help me out…

why do you say block that IP? aren’t there hackers from IPs all over the universe? don’t they do things like spoof their IP #s and such? or use proxies? And we have done all the recommended steps but these hackers do it anyway and I have no idea how. except it is the crappiest hosting service we could have chosen and they won’t refund our money.

Meanwhile is Anyone using servage.net for hosting? If you are, 99% chance the iframe injection has happened to you and you don’t even know it — they are the worst and they hate their customers because they will not do anything to help fix or secure their servers or help customers nor even admit they have a problem.

They blame their customers and offer no help to customise your security settings to prevent hackers — who return within hours to re-hack and reinject the malicious code injections.

We’ve been battling this one and other variations here at work for a while now.

We are 99.99% sure the root cause is FTP credentials being harvested on local machines via some unrecognized malware and being fed over to lists used by the ‘bad guys’. The bad guys then turn their scripts loose on these FTP accounts; they cruise through the site injecting the mentioned code into any file matching the criteria.

I don’t believe that this is always done through a compromised ftp login. This type of hack has now transformed into something very nasty. It actually has the ability to change the domain’s directory permissions to 777.

I also have some doubts, but it’s the best explanation I have when I see pure static HTML websites exploited. There is no way to inject SQL commands or some nasty script. And yes, using FTP, intruders can change file/directory permissions.

Do you have evidence that this exploit changes directory permissions to 777?

Do any of you have an update? We’ve been experiencing this problem also – except that there is no evidence in the event log, or IIS logs, or FTP logs. Do any of you have logfiles showing this exploit? I personally do not believe that it is FTP.

James, I checked your site and found the Gogo2me obfuscated iframe there so I removed the link to your site from your comment (so that other visitors don’t get infected if they click on your link).

You don’t actually need any programming skills. Just replace server files with a clean copy. Make sure your own computer is not infected by spyware. Then change all passwords. Don’t store your passwords inside programs that upload files to server. And consider contacting your hosting provider.

“Temporarily disable JavaScript in your browser (if you don’t want to get infected) and open your site”.

Do you possibly know, precisely which browsers are vulnerable? Should I simply avoid using Internet Explorer? Is browsing using a Firefox 3 with JavaScript enabled safe? I would rather not disable JS completely, but if it is necessary, I will.

Also, say I found and downloaded some antivirus software which correctly detects the malware that the injected IFRAME elements download (http://www.virustotal.com/analisis/3dfacd15cfe5b67d14a3d03b8ac27a32). If I scan the computer with them, am I 100% safe? Maybe that binary executable is just assistant software, which then downloads the virus itself?…

I am afraid that these are rhetorical questions, at least for now, but possible answers will be appreciated. :)

The advice about disabling JavaScript was made only to detect the malicious script on a web page. It’s only for webmasters who want to find what’s wrong on their site. No advice here is intended for regular web surfers.

Every browser is vulnerable. Get yourself a decent antivirus and firewall. Update your browser and OS regularly. Move to a Mac or Linux to minimize security threats. If you are using Firefox – consider the NoScript plugin.

No antivirus is perfect. You can get the antivirus that detects that particular malware, but what about thousands of other viruses and spyware?

Long story short, I found a script that will go in and clean up your site. It was $10 and well worth it. You don’t have to know any code, so James, you’re in luck.

The code is only set up for “goooogleadsence . biz”, so if your attack is from a different site you have to change the name. Easiest thing to do is find and replace that URL with your pest URL, save, run and repeat the process for other URLs. In my case I had 3 different ones.

I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.

Now that I’ve cleared it, attacks have stopped. You all might want to check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.

My site received the same attack recently…
I believe the FileZilla FTP credentials were being used by some virus…
Changed passwords to my ftp accounts, and set file/directory permissions to 644/755, cleaned up my windows system.. and since then have moved to Ubuntu… didn’t see the attack again in last two weeks.